Security: Gate Swagger/OpenAPI docs endpoint (/api/docs) in production

## Summary

The Swagger UI at `/api/docs` is publicly accessible without any authentication in production. This exposes the full API surface, parameter names, and schema details to unauthenticated users.

## Risk

- Enables reconnaissance: an attacker can enumerate all endpoints, parameter types, and expected payloads without any credentials.
- Combined with the unauthenticated production management API (see #222), this significantly lowers the bar for abuse.

## Proposed options

1. **Environment gate (recommended)**: Only register the Swagger plugin when `NODE_ENV !== 'production'` or when a `ENABLE_SWAGGER=true` env var is set.
2. **Basic auth on /api/docs**: Add a preHandler that checks a static credential from env before serving the docs.
3. **Remove in production builds**: Conditionally include the `@fastify/swagger-ui` plugin.

```typescript
// Option 1 — simplest
if (process.env.NODE_ENV !== 'production') {
  await app.register(swaggerUi, { ... });
}
```

**Priority: LOW (P3)**

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Gate Swagger/OpenAPI docs endpoint (/api/docs) in production #233

Summary

Risk

Proposed options

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Security: Gate Swagger/OpenAPI docs endpoint (/api/docs) in production #233

Description

Summary

Risk

Proposed options

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions